Unless Congress steps in before Thursday, the FBI is about to get a lot more authority to hack into computers during criminal investigations.
Investigators can already get a warrant to remotely access information on the device of a suspect in a criminal case. But the warrant has to come from a judge located in the same district as the target device. If the agents don’t know the location and guess wrong—which can happen if the suspects use tools like the anonymizing service Tor—they could have evidence thrown out. That’s happened in a number of cases stemming from a 2014 investigation into hundreds of individuals involved with a child pornography site.
Under new rules set to take effect Thursday, a federal judge will be able to issue a warrant to remotely access, search, and seize or copy data from a computer outside the district if that computer’s location has been “concealed by technological means.” A similar rule change will also make it easier to investigate botnets like the one that caused a massive Internet outage last month. Investigators will be able to ask a judge to issue a single warrant to remotely search computers that are in five or more jurisdictions and have been “damaged without authorization.”
The U.S. Department of Justice says the changes—which are being made to Rule 41 of the Federal Rules of Criminal Procedure—are necessary for law enforcement to keep up with the kinds of crimes that are being committed online and do little more than streamline the warrant process. In a November 18 letter to Senator Ron Wyden of Oregon, assistant attorney general Peter Kadzik said the amendments “would not authorize the government to undertake any search and seizure or use any remote search technique … that is not already permitted under current law.”
But advocates for privacy and civil liberties, technology companies including Google, and opponents in Congress say the amendments open the door to a dangerous expansion of the government’s authority to conduct surveillance. They say the broad language in the amendments could apply to circumstances far beyond the ones the government describes. “Major policy decisions” like this should have to go through Congress, argues Wyden.
For example, concealing one’s location “by technological means” could refer to a wide range of technologies and behaviors, like using a virtual private network, using ad-blocking software that conceals geolocation, or even changing the location setting on a social-media profile. The language of the new rules suggests that if you do one of those things, and a judge deems your device relevant to a crime, law enforcement could get permission to access it. “If this rule is not stopped, anyone who is using any technological means to safeguard their location privacy could find themselves suddenly in the jurisdiction of a prosecutor-friendly or technically naive judge, anywhere in the country,” argues Rainey Reitman, activism director at the Electronic Frontier Foundation.
The other rule change is raising concerns about the Fourth Amendment rights of innocent people whose computers have been co-opted into a botnet, which can be composed of millions of computers located all around the world. Orin Kerr, a law professor at George Washington University who specializes in criminal procedure and computer crime—and who was part of the committee that proposed the rule changes—says Congress should consider what the government owes those machines’ owners. “Should the government do nothing, leaving the victim computers infected? Or should the government take steps to patch those computers, or to encourage others to patch them? And if so, how?”
Given such unanswered questions, opponents of the changes say Congress needs more time to deliberate; last week, a bipartisan group of senators introduced legislation that would delay action for six months. Whether Congress decides to allow the changes to take effect this week or delays them will help set the stage for debates over online privacy and cybersecurity policy under the Trump administration.
Woodrow Hartzog, a law professor at Samford University who specializes in privacy law, says the history of computer crime law shows that vague language can lead to unintended consequences as technology evolves. “Even slight vagaries or miscalculations can result in dramatic expansions of power,” he says, citing language in the Computer Fraud and Abuse Act, passed in 1986, that has created “an incredible amount of confusion” over what constitutes a crime. Given the stakes, Hartzog says, the changes to Rule 41 “would seem to require more deliberation and probably some sort of legislative corrective.”